StackExchange / dnscontrol

Infrastructure as code for DNS!
https://dnscontrol.org/
MIT License

Idempotent #2399

Closed gedw99 closed 1 year ago

gedw99 commented 1 year ago

Am wondering if it’s idempotent?

The docs and code don’t show this, unless I missed it.

It’s important that if multiple actors like some control plane requests to have a DNS setting applied, that race conditions onto the actual DNS do not occur.

There are reconciliation patterns that can ensure idempotency too. It’s a man in the middle that checks the actual DNS settings are your DNS DSL to apply only what “makes sense”. What makes sense is determined by generating a diff and path often.

tlimoncelli commented 1 year ago

Excellent question!

If dnscontrol is the only thing accessing a domain, it is idempotent. That is, running dnscontrol push twice is safe, and the second push will be a no-op.

If something else is also updating the domain, there is the potential for conflicting updates. In that case, the two systems may flap back and forth between each configuration. However, the NO_PURGE and IGNORE() features permit you to handle that situation by ignoring updates from the other system.

Is there a particular use case or situation that raised the issue? The more I understand the better I can help!

gedw99 commented 1 year ago

Boy that was quick @tlimoncelli

Thanks.

My use case…

I accounted for the race condition of some actor accidentally messing up the DNS settings in the Caddy Issue.

https://github.com/caddyserver/caddy/issues/5557

It’s at the bottom! It’s the classic split brain thing where someone did not know that some web server relied on those DNS settings.

It’s a simple job that checks that what you want is what you got. It has to be a job as DNS providers typically don’t fire web hooks on a change to records. That would just be too easy :) Some do though I think. Either way a job that polls in is probably the lowest common denominator solution for Caddy.

It is probably something other systems like Caddy also could benefit from too. So makes me wonder if this is a good idea for DNS Control to provide in some capacity in terms of API?

It would do a compare and tell you what is different between the DSL and the real DNS.
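The diff-then-apply pattern discussed in the comments above, as an added sketch that is not part of the thread and not dnscontrol's own code: a second push is a no-op, and a polling job can report drift from the same diff. The `ignore` and `noPurge` options are hypothetical names that only loosely model the IGNORE() and NO_PURGE features mentioned earlier; all records are constructed sample data.

```javascript
// Toy reconcile model (assumption: a record is identified by name+type+value).
const key = (r) => `${r.name} ${r.type} ${r.value}`;

// Compute the corrections needed to turn `actual` into `desired`.
// Records whose name matches an `ignore` pattern belong to another system
// and are never deleted; with noPurge, nothing is deleted at all.
function diff(desired, actual, { ignore = [], noPurge = false } = {}) {
  const want = new Map(desired.map((r) => [key(r), r]));
  const have = new Map(actual.map((r) => [key(r), r]));
  const foreign = (r) => ignore.some((re) => re.test(r.name));
  const create = [...want.values()].filter((r) => !have.has(key(r)));
  const remove = noPurge ? [] :
    [...have.values()].filter((r) => !want.has(key(r)) && !foreign(r));
  return { create, remove };
}

// Apply the corrections and return the new zone state (the "push").
function push(desired, actual, opts) {
  const { create, remove } = diff(desired, actual, opts);
  const gone = new Set(remove.map(key));
  return actual.filter((r) => !gone.has(key(r))).concat(create);
}

// Drift report: what a periodic polling job would alert on.
function drift(desired, actual, opts) {
  const { create, remove } = diff(desired, actual, opts);
  return [...create.map((r) => `missing: ${key(r)}`),
          ...remove.map((r) => `unexpected: ${key(r)}`)];
}

// Constructed sample data (documentation address range 192.0.2.0/24).
const desired = [
  { name: "www", type: "A", value: "192.0.2.10" },
  { name: "@", type: "MX", value: "10 mail.example.com." },
];
const live = [
  { name: "www", type: "A", value: "192.0.2.99" },           // drifted value
  { name: "_acme-challenge", type: "TXT", value: "token" },  // another system's record
];
const opts = { ignore: [/^_acme-challenge$/] };

console.log(drift(desired, live, opts));        // three findings before the push
const after = push(desired, live, opts);
console.log(drift(desired, after, opts));       // empty: a second push is a no-op
console.log(drift(desired, after));             // without ignore, the TXT record is flagged
```

Without the ignore pattern, each push would delete the other system's TXT record and that system would re-create it, which is the flapping described above.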

tlimoncelli commented 1 year ago

Please move this discussion to the https://groups.google.com/g/dnscontrol-discuss email list.